Azure AKS cluster nodes have public IP addresses
Description
This policy verifies that Azure Kubernetes Service (AKS) cluster nodes are not assigned public IP addresses. A public IP address exposes a node directly to the internet, which could lead to unauthorized access or malicious attacks. It is a recommended best practice to limit exposure to the internet in order to reduce the attack surface for these threats.
Code Example
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  name: internal-app
  labels:
    app: internal-app
spec:
  type: LoadBalancer
  ports:
    - port: 80
  selector:
    app: internal-app
```
Remediation
Terraform
To fix this issue, add the Service annotation `service.beta.kubernetes.io/azure-load-balancer-internal` and set it to `"true"` in the Kubernetes Service configuration. This ensures AKS cluster nodes do not have public IP addresses.
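As an added example (not part of the original policy page or of Checkov), the check below applies the remediation above to parsed Kubernetes manifests: any Service of type LoadBalancer whose `service.beta.kubernetes.io/azure-load-balancer-internal` annotation is missing or not the literal string `"true"` is reported. The sample manifests are constructed; in practice the dicts would come from `yaml.safe_load_all` on a manifest file.

```python
INTERNAL_LB_ANNOTATION = "service.beta.kubernetes.io/azure-load-balancer-internal"


def is_public_load_balancer(manifest: dict) -> bool:
    """True for a LoadBalancer Service not marked internal (annotation missing or not "true")."""
    if manifest.get("kind") != "Service":
        return False
    if manifest.get("spec", {}).get("type") != "LoadBalancer":
        return False  # ClusterIP and NodePort Services allocate no Azure load balancer
    annotations = manifest.get("metadata", {}).get("annotations") or {}
    # Annotation values are strings; the remediation sets the literal "true".
    # Anything else (missing, "false", or an unquoted YAML boolean) is flagged.
    return str(annotations.get(INTERNAL_LB_ANNOTATION, "")) != "true"


def find_public_load_balancers(manifests) -> list:
    """Names of offending Services in an iterable of parsed manifest dicts."""
    return [
        m.get("metadata", {}).get("name", "<unnamed>")
        for m in manifests
        if m and is_public_load_balancer(m)
    ]


# Constructed sample manifests, standing in for parsed YAML documents.
SAMPLE_MANIFESTS = [
    {  # compliant: the annotation from the remediation is present
        "kind": "Service",
        "metadata": {"name": "internal-app",
                     "annotations": {INTERNAL_LB_ANNOTATION: "true"}},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
    },
    {  # non-compliant: annotation missing, so Azure assigns a public IP
        "kind": "Service",
        "metadata": {"name": "public-app"},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
    },
    {  # non-compliant: annotation present but set to "false"
        "kind": "Service",
        "metadata": {"name": "mislabelled-app",
                     "annotations": {INTERNAL_LB_ANNOTATION: "false"}},
        "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
    },
    {  # ignored: a ClusterIP Service gets no load balancer at all
        "kind": "Service",
        "metadata": {"name": "backend"},
        "spec": {"type": "ClusterIP", "ports": [{"port": 8080}]},
    },
]

if __name__ == "__main__":
    for name in find_public_load_balancers(SAMPLE_MANIFESTS):
        print(f"public load balancer: {name}")
```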
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0650 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AZURE_143 |